Gartner's Litan Warns of EMV Fraud Risks'Issuers Really Have to Pay Attention to How They Implement EMV'
Although EMV is a far more secure payments technology than magnetic-stripe payment cards, it can be exploited for fraud if it's improperly implemented, warns Gartner analyst Avivah Litan.
Some issuers in markets outside the United States that have already completed the shift to EMV have learned the hard way that - done wrong - EMV can actually fuel counterfeit card fraud, not curb it, Litan says.
"It's not the easiest technology to implement," Litan explains during the second part of a two-part interview with Information Security Media Group. "We've seen in other countries that card issuers that didn't implement it completely properly in the beginning weren't checking the cryptographic values that were coming over with the transactions. They assumed if it was [processed as] an EMV transaction that it was OK; but when they let it go and authorized those transactions, they later found that those transactions turned out to be fraudulent."
The problem is that if issuers don't check the cryptographic values associated with the card number to ensure that the card is, in fact, EMV, it opens a window for fraudsters to push through magnetic-stripe transactions, using stolen card numbers, as EMV transactions.
"The lesson there is that the issuers really have to pay attention to how they implement EMV," she says.
Liability Shift Date Looms
As the October, fraud liability shift date for EMV looms, U.S. card issuers and retailers are working overtime to get chip cards delivered to consumers and install EMV-compliant point-of-sale devices at merchants.
Implementation is proving challenging for some merchants, Litan says, because not all processors are EMV-certified, and not all of the terminal manufacturers are equipped to sell EMV-certified point-of-sale devices.
"There are a lot of moving parts for credit card and debit card transactions," she says. "They all have to be upgraded for this EMV protocol properly. ... There are a lot of kinks to work out, and criminals just take advantage of it, and they've been doing that for the last year. So, EMV is not going to stop counterfeit fraud right away, because of these sophisticated criminals that know how to create bogus EMV transactions."
The good news, however, is that once all of the kinks are worked out, EMV will reduce counterfeit card fraud, Litan says, pointing to past experience in other nations. The bad news is that fraud will migrate to card-not-present channels, she adds. "So the retailers and the banks have to prepare for that."
During this interview, Litan also discusses:
- Why EMV is likely to be the catalyst that finally pushes mobile payments forward;
- Why retail breaches don't have long-term impact on consumer buying behavior; and
- New fraud trends, in the wake of EMV, for which banks should be bracing.
Be sure to check part one of this interview, featuring a discussion of cyber extortion, insider threats and emerging authentication solutions banking institutions are investing in to address everything from new account fraud to business email compromise.
Litan, a vice president at Gartner Research, is a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.